24 matches found
CVE-2026-30945 StudioCMS: IDOR — Arbitrary API Token Revocation Leading to Denial of Service
StudioCMS is a server-side-rendered, Astro-native, headless content management system. Prior to 0.4.0, the DELETE /studiocmsapi/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner...
CVE-2026-30825
hoppscotch is an open source API development ecosystem. Prior to version 2026.2.1, the DELETE /v1/access-tokens/revoke endpoint allows any authenticated user to delete any other user's PAT by providing its ID, with no ownership verification. This issue has been patched in version 2026.2.1...
The Graph Security Vulnerability
The Graph is an open-source blockchain indexing protocol developed by The Graph. Versions of The Graph prior to 3.0.0 contained security vulnerabilities. These vulnerabilities stemmed from defects in the token ownership contract, which could allow users to access tokens that should be protected...
CVE-2026-28361
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...
Authorization Bypass Through User-Controlled Key
Overview: nocodb is a NocoDB package. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the McpTokenService.get, regenerateToken, and delete functions due to missing ownership validation for MCP tokens. An attacker with Creator role privileges can...
GHSA-P9X3-W98F-7J3Q NocoDB Missing Ownership Validation in MCP Token Operations
Summary: The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. Details: McpTokenService.get, regenerateToken, and delete did not filter by fkuserid. The analogous...
CVE-2026-28361 NocoDB: Missing Ownership Validation in MCP Token Operations
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...
CVE-2026-28361
CVE-2026-28361 affects NocoDB prior to version 0.301.3, where the MCP token service did not validate token ownership. This allowed a Creator within the same base to read, regenerate, or delete another user’s MCP tokens if the token ID was known. The issue is fixed in 0.301.3. Remediation: upgrade...
NocoDB Security Vulnerability
NocoDB is an open-source alternative to Airtable. It converts any MySQL, PostgreSQL, SQL Server, SQLite, and MariaDB databases into intelligent spreadsheets. Versions of NocoDB prior to 0.301.3 contained a security vulnerability. This vulnerability stemmed from the lack of verification of token...
PT-2026-22632
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in...
EUVD-2025-23930
Malicious code in bioql PyPI...
CVE-2025-55138
LinkJoin through 882f196 mishandles token ownership in password reset...
PT-2025-32272 · Linkjoin · Linkjoin
Name of the Vulnerable Software and Affected Versions: LinkJoin versions through 882f196 Description: LinkJoin mishandles token ownership in the password reset functionality. Recommendations: Update LinkJoin to a version beyond 882f196...
LinkJoin Security Vulnerability
LinkJoin is a virtual course and meeting software by the individual developer Seth Raphael. A security vulnerability exists in LinkJoin version 882f196 that stems from improper handling of token ownership in the password reset feature...
CVE-2025-55138
CVE-2025-55138 concerns LinkJoin versions through 882f196, where the password-reset flow mishandles token ownership. This is a network-accessible issue with high impact on confidentiality and integrity (CVSS 7.4, HIGH). Connected sources identify the root cause as improper token ownership handlin...